In order to use the gssproxy only the gssproxy daemon has to be started at boottime. Once this is done, the GSSAPI mechglue library will make sure all GSSAPI calls issued by an application are directed to the gssproxy service transparently. Depending on the configuration of the system, the gssproxy daemon will then allow or disallow access to cryptographic keys stored in keytabs on the system.

Two major features that are planned to be achieved for Fedora19:

rpc.gssd, the NFS client application, should be enabled to use the gssproxy. It will be possible to aquire tickets for kerberized NFS mounts given user keytabs.

gssproxy will offer Kerberos ticket renewal when user keytabs are available

Benefit to Fedora

The key benefit for Fedora will be that we can provide more fine grained control over controlling access of applications to highly sensible cryptographic key material (keytabs). This in general improves security on the system.

Scope

Work on the GSSAPI mechglue library is in progress but is currently not finished.

In order to properly load our mechglue library, some modifications to the system GSSAPI/Kerberos library (MIT) are required. Work on this has well progressed and is coordinated with upstream (MIT).

How To Test

Currently we use a test program (shipped with the main tarball) in order to do basic testing of our implementation. Once the mechglue interface is in place, any tests done for the GSSAPI interface itself would allow to test the gssproxy as well.

For the current testing you need to have a working KDC, one needs to create a keytab and gssproxy needs to be properly installed and configured.

User Experience

The usage of the gssproxy protocol and implementation is completely transparent for the user. Also applications do not need to be modified in order to benefit from the gssproxy.

Dependencies

The kernel will use the gssproxy interface.

Contingency Plan

In case the gssproxy is not complete by the end of the final development freeze, Fedora can just decide to not ship it.

Documentation

Release Notes

gssproxy is an opensource project that aims to improve GSSAPI usage from both the kernel (for authenticating remote file system access) as well as user-space applications. It does provide fine-grained access control on Kerberos keytab access and it overcomes various limitations the kernel had when dealing with Kerberos tickets.

Red Hat, Red Hat Enterprise Linux, the Shadowman logo, and JBoss are trademarks or registered trademarks of
Red Hat, Inc. or its subsidiaries in the United States and other countries.
Linux® is the registered trademark of Linus Torvalds in the U.S. and other countries.
The Fedora Project is maintained and driven by the community and sponsored by Red Hat. This is a community
maintained site. Red Hat is not responsible for content.